06-17-2006 03:07 AM - edited 02-21-2020 12:58 AM
I wonder whether any of the experts in this group can help me.
I have three sites (a 'central' one, and two remotes), each with a single subnet, and that are interconnected with a PIX-PIX IPsec VPN mesh. The whole thing has worked flawlessly since originally set up a few months ago, in that it provides intervisibility between IP hosts at each of the three sites.
I now have to move some of the servers at the central site to their own subnet on their own VLAN (named 'Databases' at 192.168.3.0/24). I need to be able to provide connectivity to hosts on the Databases subnet/VLAN from the two remote sites. However, I just have not been able to make this work.
With the central and remote configurations that are attached, if I do 'debug packet Databases' and then ping a host on the Databases VLAN at Central from the remote site, I can see the echo packet being sent to the host on the Databases subnet/VLAN, and I can see the echo reply being sent back from that host to the central PIX.
I can also see the hitcount increment on the
access-list Databases_acl permit icmp any any echo-reply
rule (that is generated from the object group named 'ICMP-allowed') on the central PIX.
However, I do not see the encapsulated packets count increment on the PIX at the central site end of the IPsec SA with the remote site that originated the ping. And, needless to say, the host from which I sent the ping does not see any response.
Can anybody point me at what I've got wrong in the attached configs? Note that other required access to the Databases subnet/VLAN from the 10.0.0.0/24 subnet at the central site, and from two other subnets, 10.0.1.0/24 and 10.0.2.0/24 (each connected via a router), all works fine. The problem is only with the VPN-connected sites that have the 10.0.3.0/24 and 10.0.4.0/24 subnets on their inside interfaces. I realise that, in what follows, some of the ACLs show signs of my increasing desperation to get the required setup working:
Thanks.
Tim Levy
06-21-2006 08:29 AM
If "access-list DMZ1" shows hits but the crypto ACL ("outside_cryptomap_21_acl") does not, this suggests a NAT issue, even though the config looks fine to me, though it is difficult to read.
"show local [Database_server_IP]" will show how it's being NATed.
Could you upload output of "show cry ips sa" from central and remote PIXs?
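Grant's two checks above (is the return traffic exempt from NAT on the interface it arrives from, and does it match the crypto map ACL) can be made mechanical. The script below is an added example, not code from this thread or from Cisco: it parses a constructed PIX 6.x-style configuration fragment and reports, for a given source/destination host pair, whether the nat 0 ACL bound to the source host's interface and a crypto map ACL both cover it, and whether the remote side's crypto ACL is the mirror image of the central one. The interface names and the crypto ACL name outside_cryptomap_21_acl are taken from the thread; the NAT-exemption ACL names, the remote ACL name and every address are made up for the example, and the "before" fragment deliberately leaves the Databases subnet out of both ACLs so that the check flags it.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed PIX 6.x-style fragment (NOT the poster's real config). The
# Databases subnet is deliberately absent from both the NAT-exemption ACL and
# the crypto ACL, which is the failure mode the thread describes.
CENTRAL_BEFORE = """
ip address inside 10.0.0.1 255.255.255.0
ip address Databases 192.168.3.1 255.255.255.0
access-list inside_nat0_acl permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_21_acl permit ip 10.0.0.0 255.255.255.0 10.0.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_acl
crypto map outside_map 21 match address outside_cryptomap_21_acl
"""

# Same fragment plus the lines a fix would need: NAT exemption bound to the
# Databases interface (nat 0 is per interface) and the crypto ACL widened.
CENTRAL_AFTER = CENTRAL_BEFORE + """
access-list Databases_nat0_acl permit ip 192.168.3.0 255.255.255.0 10.0.3.0 255.255.255.0
nat (Databases) 0 access-list Databases_nat0_acl
access-list outside_cryptomap_21_acl permit ip 192.168.3.0 255.255.255.0 10.0.3.0 255.255.255.0
"""

# Constructed remote PIX; its crypto ACL must mirror the central one.
REMOTE_AFTER = """
ip address inside 10.0.3.1 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_20_acl permit ip 10.0.3.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20_acl
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")


@dataclass
class PixView:
    ifaces: dict = field(default_factory=dict)   # iface -> IPv4Network
    acls: dict = field(default_factory=dict)     # acl name -> [(src_net, dst_net)]
    nat0: dict = field(default_factory=dict)     # iface -> NAT-exemption acl name
    crypto: dict = field(default_factory=dict)   # "map seq" -> crypto acl name


def _addr(tokens, i):
    """Parse one ACL address operand starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_pix(text):
    """Pick out the four line types the check needs; everything else is ignored.
    Only 'permit ip' ACL entries are parsed (protocol-specific and deny lines are skipped)."""
    v = PixView()
    for line in text.splitlines():
        line = line.strip()
        t = line.split()
        if not t:
            continue
        if t[:2] == ["ip", "address"]:
            v.ifaces[t[2]] = ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            v.acls.setdefault(t[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            v.nat0[m.group(1)] = m.group(2)
        elif m := CRYPTO_RE.match(line):
            v.crypto[f"{m.group(1)} {m.group(2)}"] = m.group(3)
    return v


def _covers(entries, src_ip, dst_ip):
    return any(src_ip in s and dst_ip in d for s, d in entries)


def check_vpn_path(view, src_ip, dst_ip):
    """Can host src_ip reach dst_ip through the tunnel? Both the nat 0 ACL on the
    source host's interface and some crypto map ACL must cover the pair."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    iface = next((n for n, net in view.ifaces.items() if src in net), None)
    nat0_acl = view.nat0.get(iface)
    nat_exempt = nat0_acl is not None and _covers(view.acls.get(nat0_acl, []), src, dst)
    crypto_acl = next((acl for acl in view.crypto.values()
                       if _covers(view.acls.get(acl, []), src, dst)), None)
    return {"interface": iface, "nat_exempt": nat_exempt, "crypto_acl": crypto_acl}


def is_mirror(local_entries, remote_entries):
    """Crypto ACLs on the two peers must be exact mirror images (src/dst swapped)."""
    return {(s, d) for s, d in local_entries} == {(d, s) for s, d in remote_entries}


if __name__ == "__main__":
    for label, cfg in (("before", CENTRAL_BEFORE), ("after", CENTRAL_AFTER)):
        print(label, check_vpn_path(parse_pix(cfg), "192.168.3.20", "10.0.3.5"))
    print("mirror:", is_mirror(parse_pix(CENTRAL_AFTER).acls["outside_cryptomap_21_acl"],
                               parse_pix(REMOTE_AFTER).acls["outside_cryptomap_20_acl"]))
```

The "before" fragment reports the Databases host with nat_exempt False and no matching crypto ACL, which is consistent with the symptom in the first post (the echo reply leaves the Databases interface but the SA's encapsulated-packet counter never moves). The "after" fragment passes both checks and mirrors the remote ACL. The parser is intentionally narrow: it reads only "permit ip" ACL entries, so an ACL written with protocol-specific lines would need the parser extended before the result means anything.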
06-21-2006 01:46 PM
Hi Grant, thanks for your reply.
> If "access-list DMZ1" shows hits but the crypto ACL ("outside_cryptomap_21_acl")
> does not, this suggests a NAT issue, even though the config looks fine to me,
> though it is difficult to read.
It's the 'Databases' VLAN and access-list that is at issue. There is no problem
with the DMZ1 VLAN/ACL.
> "show local [Database_server_IP]" will show how it's being NATed.
: show local 192.168.3.20
: Interface DMZ1: 1 active, 1 maximum active, 0 denied
: Interface Databases: 1 active, 1 maximum active, 0 denied
: Interface inside: 22 active, 39 maximum active, 0 denied
> Could you upload output of "show cry ips sa" from
> central and remote PIXs?
Attached.
Thanks again.
Tim Levy.